Commit 65d543b2335ede80e5e66bc4f559f62db5f469bd

Authored by Dmitry Kasatkin
Committed by Mimi Zohar
1 parent e3c4abbfa9

integrity: provide a function to load x509 certificate from the kernel

Provide the function to load x509 certificates from the kernel into the
integrity kernel keyring.

Changes in v2:
* configuration option removed
* function declared as '__init'

Signed-off-by: Dmitry Kasatkin <d.kasatkin@samsung.com>
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>

Showing 2 changed files with 37 additions and 1 deletions Side-by-side Diff

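--- a/security/integrity/digsig.c
+++ b/security/integrity/digsig.c
@@ -14,7 +14,7 @@
 
 #include <linux/err.h>
 #include <linux/sched.h>
-#include <linux/rbtree.h>
+#include <linux/slab.h>
 #include <linux/cred.h>
 #include <linux/key-type.h>
 #include <linux/digsig.h>
@@ -83,5 +83,39 @@
 keyring[id] = NULL;
 }
 return err;
+}
+
+int __init integrity_load_x509(const unsigned int id, char *path)
+{
+ key_ref_t key;
+ char *data;
+ int rc;
+
+ if (!keyring[id])
+ return -EINVAL;
+
+ rc = integrity_read_file(path, &data);
+ if (rc < 0)
+ return rc;
+
+ key = key_create_or_update(make_key_ref(keyring[id], 1),
+ "asymmetric",
+ NULL,
+ data,
+ rc,
+ ((KEY_POS_ALL & ~KEY_POS_SETATTR) |
+ KEY_USR_VIEW | KEY_USR_READ),
+ KEY_ALLOC_NOT_IN_QUOTA | KEY_ALLOC_TRUSTED);
+ if (IS_ERR(key)) {
+ rc = PTR_ERR(key);
+ pr_err("Problem loading X.509 certificate (%d): %s\n",
+ rc, path);
+ } else {
+ pr_notice("Loaded X.509 cert '%s': %s\n",
+ key_ref_to_ptr(key)->description, path);
+ key_ref_put(key);
+ }
+ kfree(data);
+ return 0;
 }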
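Review bot: integrity_load_x509 reports success even when the key cannot be created: on line 110 rc is set to PTR_ERR(key) only to feed the pr_err, and line 119 then returns 0 unconditionally, so a caller cannot tell a rejected or malformed certificate from one that was actually added to the keyring. If best-effort loading is the intent, a short comment above the function stating that key-creation failures are logged but not propagated would make that explicit; otherwise set `rc = 0;` in the else branch after key_ref_put and end the function with `return rc;` so the error reaches the caller. The reset is needed because rc still holds the file length from integrity_read_file on the success path. The `path` argument is only passed on and printed, so `const char *path` would fit here and in the prototype, assuming integrity_read_file accepts a const pointer.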
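--- a/security/integrity/integrity.h
+++ b/security/integrity/integrity.h
@@ -134,6 +134,7 @@
 const char *digest, int digestlen);
 
 int __init integrity_init_keyring(const unsigned int id);
+int __init integrity_load_x509(const unsigned int id, char *path);
 #else
 
 static inline int integrity_digsig_verify(const unsigned int id,
@@ -147,6 +148,7 @@
 {
 return 0;
 }
+
 #endif /* CONFIG_INTEGRITY_SIGNATURE */
 
 #ifdef CONFIG_INTEGRITY_ASYMMETRIC_KEYS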
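Review bot: The new prototype on line 137 has no counterpart in the `#else` branch of CONFIG_INTEGRITY_SIGNATURE, where integrity_digsig_verify gets a static inline stub (line 139), so a caller built without that option would fail to link if it calls integrity_load_x509. Whether integrity_init_keyring already has such a stub is not visible in this hunk; the new function should follow whatever convention that one uses, e.g. `static inline int integrity_load_x509(const unsigned int id, char *path) { return 0; }` or the error code the existing stubs return. The `path` parameter is read-only for this function and could be `const char *`, provided the definition in digsig.c and integrity_read_file agree.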